saltstack / pepper

A library and stand-alone CLI tools to access a salt-api instance

TLS issues are always ignored #219

Open eliasp opened 3 years ago

eliasp commented 3 years ago

When the API endpoint uses a self-signed/invalid/untrusted certificate, Pepper ignores this and connects anyway.

Thanks to badssl.com this can be easily reproduced by adding this section to ~/.pepperrc:

[tls-self-signed]
SALTAPI_URL=https://self-signed.badssl.com/
SALTAPI_USER=johndoe
SALTAPI_PASS=hunter2

Then execute pepper -p tls-self-signed '*' test.ping.

The result:

Error with request: HTTP Error 404: Not Found
HTTP Error 404: Not Found
Uncaught Pepper error (increase verbosity for the full traceback).

I wouldn't expect it to be able to get a 404 response; it should fail way before that, when trying to establish the TLS connection.

Increasing the verbosity using -vvv shows:

Error with request
Traceback (most recent call last):
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 231, in req
    f = urlopen(req)
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found
Error with request: HTTP Error 404: Not Found
HTTP Error 404: Not Found
Uncaught Pepper error (increase verbosity for the full traceback).
Uncaught traceback:
Traceback (most recent call last):
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/script.py", line 52, in __call__
    for exit_code, result in self.cli.run():
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/cli.py", line 670, in run
    self.login(api)
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/cli.py", line 634, in login
    auth = login(**self.parse_login())
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 467, in login
    self.auth = self._send_auth('/login', **kwargs).get('return', [{}])[0]
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 449, in _send_auth
    return self.req(path, kwargs)
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 231, in req
    f = urlopen(req)
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found

I suspected the following code to cause the issue (wrongly negating _ssl_verify): https://github.com/saltstack/pepper/blob/8096e0896417ef9b533c7b99dac77535c6eba15d/pepper/libpepper.py#L226-L231 but removing not didn't change the outcome, so I suspect there's something else going on.

Using:

tjyang commented 2 months ago

@eliasp, thanks for this dated report. This is still happening on a salt-master 3006.8 onedir instance.
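An added example, not part of the issue thread and not pepper's code: a way to check offline whether the `ssl.SSLContext` handed to `urlopen` actually validates the server, and to tell a certificate failure apart from the `HTTPError` 404 shown in the report. The helper names (`build_context`, `audit_context`, `is_cert_failure`, `open_url`) and the `ssl_verify` parameter are assumptions made for this sketch.

```python
import ssl
import urllib.error
import urllib.request


def build_context(ssl_verify=True, cafile=None):
    """Map a verify flag to an SSLContext (hypothetical helper, not pepper's API)."""
    # create_default_context() gives CERT_REQUIRED plus hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    if not ssl_verify:
        # Explicit opt-out only. check_hostname must be cleared first,
        # otherwise setting CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """List the reasons this context would accept an untrusted server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode=%s: chain is not validated" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate name is not matched")
    return findings


def is_cert_failure(exc):
    """True when urlopen failed in the handshake on certificate validation."""
    return (isinstance(exc, urllib.error.URLError)
            and isinstance(exc.reason, ssl.SSLCertVerificationError))


def open_url(url, ssl_verify=True, cafile=None, timeout=10):
    """urlopen() that fails closed if a 'verifying' context does not verify."""
    ctx = build_context(ssl_verify, cafile)
    problems = audit_context(ctx)
    if ssl_verify and problems:
        raise RuntimeError("refusing to connect: " + "; ".join(problems))
    return urllib.request.urlopen(url, context=ctx, timeout=timeout)


if __name__ == "__main__":
    print(audit_context(build_context(True)))    # verifying context
    print(audit_context(build_context(False)))   # explicit opt-out
```

With a verifying context, a self-signed endpoint makes `urlopen` raise a `URLError` for which `is_cert_failure` returns true, before any HTTP status such as 404 can be received.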